SQL Injection [at] lapor.go.id 


23 May 2019. I found an SQL Injection bug on the lapor.go.id website. The bug is on the site's main page, in the complaint/report form.


When you open the website, you are immediately presented with the report form.
I went straight to testing for an SQL error with a single quote (') in the "Pilih Kategori" (Choose Category) section.
Here I chose the "Administrasi" option, then changed the value of that option from its original 439 to 439'. I also ticked the anonymous and secret checkboxes.
[Screenshot: Chrome DevTools Elements panel showing the complaint form markup inside <section id="complaint-box">. The relevant part, with the option value already edited, is:]

  <form method="POST" action="https://lapor.go.id" accept-charset="UTF-8" data-request="complaint::onCreate" class="complaint-form" data-request-flash>
    <input name="_session_key" type="hidden" value="...">
    <input name="_token" type="hidden" value="...">
    <div class="complaint-form-category">
      <select class="form-control selectized" name="category_id" placeholder="Pilih Kategori" tabindex="-1" style="display: none;">
        <option value="439'" selected="selected">Administrasi</option>
      </select>
    </div>
  </form>
I also filled in the report body with "Test SQL Injection [at] lapor.go.id <p>Test Juga</p>".
Then I submitted it and watched what happened.
[Screenshot: the form after clicking the submit button. The report body still reads "Test SQL Injection [at] lapor.go.id <p>Test Juga</p>", and an alert appears with this error:]

SQLSTATE[01000]: Warning: 1265 Data truncated for column 'category_id' at row 1 (SQL: insert into `lapor_complaint_complaints` (`content`, `category_id`, `is_anonymous`, `is_secret`, `latitude`, `longitude`, `origin_latitude`, `origin_longitude`, `user_id`, `channel_id`, `status_updated_at`, `status_code`, `slug`, `updated_at`, `created_at`) values (Test SQL Injection [at] lapor.go.id <p>Test Juga</p>, 439', 1, 1, , , , , , 2, 2019-05-23 16:08:59, draft, , 2019-05-23 16:08:59, 2019-05-23 16:08:59))
[Screenshot: Chrome DevTools Network panel, 13 requests, 7.5 KB transferred, 7.1 KB resources. The banner images (Banner01.jpg to Banner06.jpg) return 403; the XHR POST to lapor.go.id returns HTTP 500 (863 B).]


Yes, it turns out the result is an alert containing an SQL error.

Although the alert is only shown for a few seconds, I can see it in the HTTP request log; here is the result.
[Screenshot: Chrome DevTools Network panel with "Administrasi" still selected in the form. The XHR request to lapor.go.id is selected and its Response tab shows:]

SQLSTATE[01000]: Warning: 1265 Data truncated for column 'category_id' at row 1 (SQL: insert into `lapor_complaint_complaints` (`content`, `category_id`, `is_anonymous`, `is_secret`, `latitude`, `longitude`, `origin_latitude`, `origin_longitude`, `user_id`, `channel_id`, `status_updated_at`, `status_code`, `slug`, `updated_at`, `created_at`) values (Test SQL Injection [at] lapor.go.id <p>Test Juga</p>, 439', 1, 1, , , , , , 2, 2019-05-23 16:08:59, draft, , 2019-05-23 16:08:59, 2019-05-23 16:08:59))
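The MySQL warning 1265 in that response shows the edited value 439' reached the database and was rejected by the integer category_id column, and that the complete INSERT statement, table name and column list were returned to the user through the form's flash message. As an added example (illustrative code, not the site's own), the handler below validates category_id as an integer before it reaches the query and logs database exceptions server-side instead of surfacing them; the handler name onCreate comes from the form's data-request attribute, while the namespace, the Complaint model, the categories table name and the user-facing messages are assumptions.

```php
<?php
// Added example, not the site's code. An OctoberCMS component handler built on
// Laravel (the form posts to data-request="complaint::onCreate"). The namespace,
// model, categories table and messages are assumed.
namespace Lapor\Complaint\Components;

use Cms\Classes\ComponentBase;
use Illuminate\Database\QueryException;
use Illuminate\Support\Facades\Log;
use October\Rain\Exception\ApplicationException;
use October\Rain\Exception\ValidationException;
use Validator;
use Flash;
use Lapor\Complaint\Models\Complaint; // assumed model name

class ComplaintForm extends ComponentBase
{
    public function onCreate()
    {
        $data = post();

        // Reject anything that is not a plain integer id before it reaches the query.
        // "439'" fails the integer rule, so the request stops here with a field error
        // instead of a MySQL warning that carries the whole INSERT statement.
        $validator = Validator::make($data, [
            'category_id'  => 'required|integer|exists:lapor_complaint_categories,id', // table name assumed
            'content'      => 'required|string|max:5000',
            'is_anonymous' => 'sometimes|boolean',
            'is_secret'    => 'sometimes|boolean',
        ]);
        if ($validator->fails()) {
            throw new ValidationException($validator);
        }

        try {
            $complaint = new Complaint();
            $complaint->category_id  = (int) $data['category_id'];
            $complaint->content      = $data['content'];
            $complaint->is_anonymous = !empty($data['is_anonymous']);
            $complaint->is_secret    = !empty($data['is_secret']);
            $complaint->status_code  = 'draft';
            $complaint->save();
        } catch (QueryException $e) {
            // Keep SQL text, table and column names out of the flash message:
            // log the full exception server-side and return only a generic error.
            Log::error('complaint insert failed', ['exception' => $e]);
            throw new ApplicationException('Laporan tidak dapat disimpan, silakan coba lagi.');
        }

        Flash::success('Laporan tersimpan.');
    }
}
```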
I ask the site's developers/admins to please fix this bug.
Thank you.


Regards

Wahyu Andhika,